As a healthcare network with 45 hospital campuses, Adventist Health System must adhere to very strict compliance requirements intended to protect personal health information. During a recent migration from a legacy Microsoft Exchange system to Office 365 in the cloud, they realized that they needed to create a plan for HIPAA compliance as they plotted their move to the cloud with new services like OneDrive.

One of the big challenges facing Adventist Health System was finding a way to let their users securely store and share large quantities of very large documents. To overcome this challenge, Adventist Health System planned to use OneDrive as their file sharing and collaboration platform and saw quick adoption of the service by their users. While migrating to OneDrive and SharePoint Online, it became apparent that multiple file sharing services were in use across the enterprise, and Adventist Health System realized that they needed to take a step back and start by gaining visibility into all their current cloud usage.

“It really became a question of what are we using?” said Mark Dunkerley, Manager of Messaging, Mobile and Video Services. “We had quite a few questions about what other file sharing solutions were being used and by whom.” To discover this, the team at Adventist Health System implemented Skyhigh for Shadow IT and immediately found that they had over 2,000 cloud services in use throughout the enterprise.

Adventist Health System started evaluating their 2,000+ cloud services categorically, which was an eye-opener for Dunkerley, who was surprised at both the number and the variety of services in use. “I’ve spent a lot of time in IT and there are a lot of services being used that I am not familiar with. It is amazing to see how much data is being uploaded,” he said.

Skyhigh provides Dunkerley and his team with the information and visibility needed to start administering policies around acceptable use. “We now have the information we need to execute, and can train users on the benefits of using the appropriate applications,” says Dunkerley. This has enabled Adventist Health System to drive consolidation by coaching users over to OneDrive, which not only improves collaboration, but also reduces the number of services in use, making compliance policy enforcement easier.

With Shadow IT usage under control, Adventist Health System began enforcing security, compliance, and governance policies for their sanctioned services like Office 365. For a large healthcare organization, it is imperative that the team at Adventist Health System know exactly where their data is going in order to ensure compliance with HIPAA and HITECH.

“Our real concern is around controlling access to personal health information. By implementing Skyhigh, we have more visibility and more control over the usage of file sharing services.” – Mark Dunkerley

Following consolidation, Adventist Health System identified several required security and compliance use cases and determined that they would need a Cloud Access Security Broker (CASB) to support them. They began using Skyhigh for Office 365, which has allowed them to leverage their existing investments in data classification technology and policies and extend their current data loss prevention (DLP) policies to Office 365 in order to meet compliance requirements. When sensitive data is identified en route to OneDrive or SharePoint, they now have the option of alerting a security and compliance advisor, quarantining the document for further review, or encrypting the document with keys that they manage.

In addition to DLP, they can use Skyhigh to control who has access to sensitive data based on their role in the organization and the device they are using. For example, users on managed devices may be permitted to download sensitive content that users on unmanaged devices cannot. Furthermore, they can enforce policies regulating the sharing of sensitive data so that confidential information is only shared internally or with trusted partners with valid business email addresses, rather than personal email addresses from gmail or hotmail.com.

Beyond compliance, they can also leverage Skyhigh to monitor activity and proactively identify the behavioral patterns of misuse, whether it is from a compromised account or an internal user.

Best of all, according to Adventist Health System, is that all of their policies are enforced on the back-end, so that all users, whether on managed devices on-premises or on unmanaged devices remotely, can access Office 365 just as they always have without the need to use a VPN or to install new agents or PAC files on their devices.

This has proven to be extremely valuable and is enabling Adventist Health System to move to the cloud confidently. Dunkerley now regularly shares data from Skyhigh with executives and leaders from across different business units to proactively provide a more productive and secure work environment.
